Tom's Tips for InfoSec Professionals

People entering the unique field of information security are often curious about what to expect and what to do to be successful. Tom has put together a collection of tips, based on the things he's learned, to help you be the best you can be in the world of infosec.

Information security is a unique discipline. Few other fields combine the constant evolution of threats and technologies with the need to interact effectively with individuals of such varying experiences.

People often ask me, “Tom, what advice would you give to security professionals or to someone looking to enter this field?” (Okay, well maybe they don’t really ask me this all that often, but for the sake of this article let’s assume that they do.)

Since starting my work at Hurricane Labs, I’ve grown from an entry-level firewall support engineer to having the responsibility of helping steer the course of our work as a whole. I’ve learned an enormous amount over just a few short years in this industry, both professionally and personally. This article lists and summarizes some of those things and shares them with you. Whether you’re a student interested in infosec, a new college grad, or a seasoned professional, hopefully the ideas I’ve included will help guide you to being the best that you can be.

With that introduction out of the way, let’s get started.

1. Learn something new every day

Infosec (and any technologically inclined field, to a certain degree) is subject to constant change and innovation. Technology evolves quickly, and you must be able to keep up. My best advice is to try to learn something new every day. In my six-plus years at Hurricane, I can confidently say that not a single day has gone by in which I haven’t learned something new - and I don’t see any sign of that changing any time soon.

Also, don’t limit yourself. As tempting as it is to go home after being at the office for an hour (“I learned something today, time to go home!”), your employer probably won’t appreciate that and that type of mentality also won’t help you improve. Consider it an opportunity to learn even more that day.

That all said, don’t spend 100% of your time focused entirely on work - that will burn you out. Find something you can do as a hobby and use that to take a break from the constant activity of the infosec world. For me, my escape is music - being able to rage on the nearest piano (I have one in my office at Hurricane even) is a great way to quickly burn off some stress and give my mind a break from work.

Most importantly, apply what you've learned to something you already know, or figure out a way to use it to overcome new challenges. I've had a lot of success working through problems by looking for similarities between what I've just discovered and what I already knew, and drawing on both to deepen my understanding of the new issue.

2. School doesn’t teach you everything

For those of you that are still in school, at whatever level it may be, don’t expect to graduate knowing everything you’ll ever need to know. What you learn in school is likely only a tiny bit of exposure to what you will ultimately need to know as you start your career.

Consider your education a high-level overview of many different things, some of which will be helpful later and others which you may not necessarily see an immediate reason for. That said - don’t dismiss things that you’re learning that might not seem relevant. I’ve experienced many situations where I’ve used random bits of knowledge from college classes, not necessarily security-related, in order to handle things that have come up during my career.

Finally, understand that you won’t use everything that you learned in college later in life. Don’t let this discourage you or get in the way of learning - consider it an opportunity to learn how you learn best, and leverage that later when you’re continuing your education in the real world.

3. You don’t have to know everything, just how to use Google

Within the IT fields, being able to find a solution is more important than simply knowing the answer off the top of your head. The breadth of knowledge, terminology, and technical details we work with exceeds anything that a single person is able to master. Our job isn’t to automatically have a solution to every problem, but to know how to find the information quickly.

The Internet is an excellent source of information and can be a powerful tool when used effectively. There are tons of people that are smarter than you or who have already faced the same problem you’re dealing with. Our industry embraces information sharing through resources such as blogs, forum posts, and Twitter.

Looking back at my college classes, many of the professors allowed us to use a single page “cheat sheet” for exams, where we could write down anything we wanted and use it during the test. While I didn’t realize it at the time, this was probably one of the best exercises to prepare me for the real world: I needed to determine what information was important enough to include in a limited amount of space, and also be able to find that information during the limited timeframe of an exam in order to use it. This is very similar to what I do today, only with Internet resources instead of a handwritten one.

The mantra I encourage here is to “be an expert in something you’ve never seen before”. We aren’t expected to be able to fly a helicopter (https://www.youtube.com/watch?v=6AOpomu9V6Q) having never done so before, but armed with a little knowledge, it should be a goal we can all aspire to.

4. Phone calls and onsite work

It’s inevitable that you will need to work with customers, and this will typically take the form of phone calls or onsite work. At first, this might not be something you’re comfortable doing, but with practice it will become much more natural.

My advice for this - practice your acting skills. Being able to convey confidence in these situations is actually more important than technical skills. Even if you’re the only person onsite or on the phone, you still have your support structure there to back you up. Don’t worry about having to research something that comes up that you aren’t familiar with - as long as you act confidently and don’t appear completely clueless, the client will generally be understanding.

That said - there will be things that come up that you don’t know. When this happens, don’t lie. Find out what the answer is first, then respond.

5. Be Humble

Probably one of my biggest pet peeves with the infosec industry is the culture of rockstars and experts that it breeds. I encourage everyone to avoid getting sucked into this.

None of us knows everything. That includes you, me, and anyone else reading this. We are all good at certain things, and there are others in the industry who are better at other things (and who can complement what we are good at). Our strength is in the collective knowledge of the people across our industry, not in any individual standing alone.

When you’re in a group, don’t be the loudest or most talkative in the room - learn from others. As one of my coworkers, Tim Baldwin, says, “If I’m the smartest person in the room, I don’t want to be in that room”. I totally agree with him there.

Be good at what you do, and recognition will follow.

6. Mistakes

You will make mistakes. We all have and will continue to do so. Making mistakes is inevitable - computers can do some stupid things and people can do some even stupider ones. Not every mistake will be directly your fault, but sometimes it will be the direct result of something you did (or didn’t do).

When you make a mistake, admit it - and fix the problem. The worst thing you can do when making a mistake is to lie about it or blame someone else. But most importantly, learn from mistakes and gain experience from fixing them. This is the most valuable part - it won’t necessarily prevent every future error, but will better equip you to deal with similar issues in the future.

7. Trust

Strive to be someone that your team can count on. When you make a promise, follow through on it. Don’t be the person that says they’ll do something and never does.

Don’t always go for what’s easy or the least amount of work. Take on the challenge that no one wants to solve or that might even seem impossible. The worst that can happen is that nothing will improve or change - but you might come up with an interesting solution to a problem people haven’t been able to solve.

8. Expectations

It’s always a good idea to keep your clients happy. Setting appropriate expectations is the single most effective way to do this.

When setting expectations, always underpromise and overdeliver (not the other way around). Be realistic with what you can do - don’t promise to have something done in a timeframe that isn’t practical or doesn’t allow for unexpected roadblocks to come up along the way.

Let’s say that you need to complete a project for a client. It’s Monday, and you figure you can do the work in two days (assuming no unforeseen issues). An inappropriate expectation would be to say that you’ll finish on Wednesday, and then have to push that back to Thursday or later. It’s much better to promise that it will be completed by Friday, and then return it to the client on Thursday, a full day ahead of the promised schedule. Clients will love you if you consistently meet or exceed expectations as opposed to always being behind, and the best way to ensure that this happens is to set those expectations appropriately up front.

Finally, don’t make promises you can’t deliver on. When presented with an unrealistic deadline, it’s best to establish an alternative timeframe as opposed to agreeing and failing later. Your work is often a small piece of a much larger project, and a delay in one place could result in the whole project being postponed.

9. Effort

Whatever you lack in talent, make up in effort. Always try your hardest, and don’t settle for less than 100% of the best that you can do - every single day.

Don’t be afraid to ask your peers and coworkers questions. But when you do, take notes so you don’t ask the same question twice. There’s nothing wrong with getting a second opinion (something I do myself frequently), but you don’t want to appear as if you’re not respecting your coworkers’ time.

10. Now it’s your turn

Ending a list on nine items seemed weird so I’m making a tenth one, even though this is more of a summary than anything else. If you ignored everything else in this article, I want you to leave with the following: